根据所提供的配置创建 IAM 拒绝政策。
代码示例
Go
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Go API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import (
	"context"
	"fmt"
	"io"
	"net/url"

	iam "cloud.google.com/go/iam/apiv2"
	"cloud.google.com/go/iam/apiv2/iampb"
	"google.golang.org/genproto/googleapis/type/expr"
)
// createDenyPolicy creates a deny policy.
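// createDenyPolicy creates a deny policy attached to the project projectID,
// waits for the long-running create operation to finish, and writes the
// created policy's resource name to w.
//
// You can add deny policies to organizations, folders, and projects; each of
// these resources can have up to 5 deny policies. Deny policies contain deny
// rules, which specify the following:
//  1. The permissions to deny and/or exempt.
//  2. The principals that are denied, or exempted from denial.
//  3. An optional condition on when to enforce the deny rules.
//
// It returns an error when projectID or policyID is empty, when the client
// cannot be created, when the create request or its operation fails, or when
// the result cannot be written to w.
func createDenyPolicy(w io.Writer, projectID, policyID string) error {
	// projectID := "your_project_id"
	// policyID := "your_policy_id"

	// Reject empty IDs before touching the API: an empty projectID would
	// produce a malformed attachment point below.
	if projectID == "" || policyID == "" {
		return fmt.Errorf("createDenyPolicy: projectID and policyID must not be empty")
	}

	ctx := context.Background()
	policiesClient, err := iam.NewPoliciesClient(ctx)
	if err != nil {
		return fmt.Errorf("NewPoliciesClient: %w", err)
	}
	defer policiesClient.Close()

	// Each deny policy is attached to an organization, folder, or project.
	// To work with deny policies, specify the attachment point.
	//
	// Its format can be one of the following:
	//  1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
	//  2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
	//  3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
	//
	// The attachment point is identified by its URL-encoded resource name, so
	// every "/" becomes "%2F". url.PathEscape encodes the whole name, including
	// any unexpected characters in projectID, instead of splicing the ID into
	// a hand-written format string.
	attachmentPoint := url.PathEscape(
		"cloudresourcemanager.googleapis.com/projects/" + projectID,
	)

	denyRule := &iampb.DenyRule{
		// Add one or more principals who should be denied the permissions
		// specified in this rule. For more information on allowed values,
		// see: https://cloud.google.com/iam/help/deny/principal-identifiers
		DeniedPrincipals: []string{"principalSet://goog/public:all"},

		// Optionally, set the principals who should be exempted from the list
		// of denied principals. For example, if you want to deny certain
		// permissions to a group but exempt a few principals, add those here.
		// As written no exception principals are set, so the rule applies to
		// every principal, project administrators included.
		// ExceptionPrincipals: []string{"principalSet://goog/group/project-admins@example.com"},

		// Set the permissions to deny.
		// The permission value is of the format: service_fqdn/resource.action
		// For the list of supported permissions,
		// see: https://cloud.google.com/iam/help/deny/supported-permissions
		DeniedPermissions: []string{"cloudresourcemanager.googleapis.com/projects.delete"},

		// Optionally, add the permissions to be exempted from this rule,
		// meaning the deny rule will not be applicable to these permissions.
		// ExceptionPermissions: []string{"cloudresourcemanager.googleapis.com/projects.create"},

		// Set the condition which will enforce the deny rule: if it evaluates
		// to true the deny rule is applicable, otherwise the rule is not
		// enforced. The expression uses Common Expression Language (CEL)
		// syntax and blocks access based on tags. A tag is a key-value pair
		// that can be attached to an organization, folder, or project.
		//
		// This condition is true when the resource does NOT carry the tag
		// env=test, so deletion is denied on every project except those tagged
		// test — the exemption the rule description below refers to. The
		// "12345678/" prefix looks like a placeholder for the tag key's parent
		// ID; replace it with your own before running the sample.
		// For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
		DenialCondition: &expr.Expr{
			Expression: "!resource.matchTag('12345678/env', 'test')",
		},
	}

	// Add the deny rule and a description for it.
	policyRule := &iampb.PolicyRule{
		Description: "block all principals from deleting projects, unless the principal is a member of project-admins@example.com and the project being deleted has a tag with the value test",
		Kind: &iampb.PolicyRule_DenyRule{
			DenyRule: denyRule,
		},
	}

	policy := &iampb.Policy{
		DisplayName: "Restrict project deletion access",
		Rules:       []*iampb.PolicyRule{policyRule},
	}

	req := &iampb.CreatePolicyRequest{
		// The collection the new policy is created in.
		// Its format is: "policies/ATTACHMENT_POINT/denypolicies"
		Parent:   fmt.Sprintf("policies/%s/denypolicies", attachmentPoint),
		Policy:   policy,
		PolicyId: policyID,
	}

	op, err := policiesClient.CreatePolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("unable to create policy: %w", err)
	}

	// CreatePolicy is a long-running operation; Wait blocks until it
	// completes and returns the created policy.
	policy, err = op.Wait(ctx)
	if err != nil {
		return fmt.Errorf("unable to wait for the operation: %w", err)
	}

	if _, err := fmt.Fprintf(w, "Policy %s created\n", policy.GetName()); err != nil {
		return fmt.Errorf("writing result: %w", err)
	}
	return nil
}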
Java
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Java API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.iam.v2.CreatePolicyRequest;
import com.google.iam.v2.DenyRule;
import com.google.iam.v2.PoliciesClient;
import com.google.iam.v2.Policy;
import com.google.iam.v2.PolicyRule;
import com.google.longrunning.Operation;
import com.google.type.Expr;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
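public class CreateDenyPolicy {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(developer): Replace these variables before running the sample.
    // ID or number of the Google Cloud project you want to use.
    String projectId = "your-google-cloud-project-id";
    // Specify the id of the Deny policy you want to create.
    String policyId = "deny-policy-id";
    createDenyPolicy(projectId, policyId);
  }

  /**
   * Creates a deny policy attached to the given project, waits for the create operation to
   * complete, and prints the created policy's ID.
   *
   * <p>You can add deny policies to organizations, folders, and projects. Each of these
   * resources can have up to 5 deny policies. Deny policies contain deny rules, which specify:
   *
   * <ol>
   *   <li>The permissions to deny and/or exempt.
   *   <li>The principals that are denied, or exempted from denial.
   *   <li>An optional condition on when to enforce the deny rules.
   * </ol>
   *
   * @param projectId ID or number of the Google Cloud project the policy is attached to
   * @param policyId ID of the deny policy to create
   * @throws IOException if the client cannot be created
   * @throws ExecutionException if the create request or its long-running operation fails
   * @throws InterruptedException if the wait for the operation is interrupted
   * @throws TimeoutException if the operation does not complete within 3 minutes
   */
  public static void createDenyPolicy(String projectId, String policyId)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    try (PoliciesClient policiesClient = PoliciesClient.create()) {
      // Each deny policy is attached to an organization, folder, or project.
      // To work with deny policies, specify the attachment point.
      //
      // Its format can be one of the following:
      // 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
      // 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
      // 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
      //
      // The attachment point is identified by its URL-encoded resource name, so every "/"
      // becomes "%2F". Encoding the whole name, projectId included, also neutralises any
      // unexpected characters in the ID instead of appending it raw.
      String attachmentPoint =
          URLEncoder.encode(
              "cloudresourcemanager.googleapis.com/projects/" + projectId,
              StandardCharsets.UTF_8);

      // The collection the new policy is created in.
      // Its format is: "policies/{attachmentPoint}/denypolicies"
      String policyParent = String.format("policies/%s/denypolicies", attachmentPoint);

      DenyRule denyRule =
          DenyRule.newBuilder()
              // Add one or more principals who should be denied the permissions specified in
              // this rule. For more information on allowed values, see:
              // https://cloud.google.com/iam/docs/principal-identifiers
              .addDeniedPrincipals("principalSet://goog/public:all")
              // Optionally, set the principals who should be exempted from the list of denied
              // principals. For example, if you want to deny certain permissions to a group
              // but exempt a few principals, then add those here. As written no exception
              // principals are set, so the rule applies to every principal.
              // .addExceptionPrincipals(
              //     "principalSet://goog/group/project-admins@example.com")
              // Set the permissions to deny.
              // The permission value is of the format: service_fqdn/resource.action
              // For the list of supported permissions, see:
              // https://cloud.google.com/iam/help/deny/supported-permissions
              .addDeniedPermissions("cloudresourcemanager.googleapis.com/projects.delete")
              // Optionally, add the permissions to be exempted from this rule.
              // Meaning, the deny rule will not be applicable to these permissions.
              // .addExceptionPermissions("cloudresourcemanager.googleapis.com/projects.create")
              // Set the condition which will enforce the deny rule. If this condition is true,
              // the deny rule will be applicable. Else, the rule will not be enforced.
              .setDenialCondition(
                  Expr.newBuilder()
                      // The expression uses Common Expression Language syntax (CEL).
                      // Here we block access based on tags.
                      //
                      // A tag is a key-value pair that can be attached to an organization,
                      // folder, or project. You can use deny policies to deny permissions
                      // based on tags without adding an IAM Condition to every role grant.
                      //
                      // This condition is true when the resource does NOT carry the tag
                      // env=test, so deletion is denied on every project except those tagged
                      // test — the exemption the rule description below refers to. The
                      // "12345678/" prefix looks like a placeholder for the tag key's parent
                      // ID; replace it with your own before running the sample.
                      .setExpression("!resource.matchTag('12345678/env', 'test')")
                      .setTitle("Only for test projects")
                      .build())
              .build();

      // Add the deny rule and a description for it.
      Policy policy =
          Policy.newBuilder()
              .addRules(
                  PolicyRule.newBuilder()
                      .setDescription(
                          "block all principals from deleting projects, unless the principal"
                              + " is a member of project-admins@example.com and the project"
                              + " being deleted has a tag with the value test")
                      .setDenyRule(denyRule)
                      .build())
              .build();

      // Set the policy resource path, policy rules and a unique ID for the policy.
      CreatePolicyRequest createPolicyRequest =
          CreatePolicyRequest.newBuilder()
              .setParent(policyParent)
              .setPolicy(policy)
              .setPolicyId(policyId)
              .build();

      // CreatePolicy is a long-running operation. Waiting on the operation future returns
      // the created Policy once the operation has actually completed, and surfaces an
      // operation failure as an ExecutionException instead of leaving it to a hasError()
      // check on a possibly still-running Operation followed by a racy getPolicy().
      Policy response =
          policiesClient.createPolicyAsync(createPolicyRequest).get(3, TimeUnit.MINUTES);

      // Print the short policy ID (the last path segment of the resource name).
      String policyName = response.getName();
      System.out.println(
          "Created the deny policy: " + policyName.substring(policyName.lastIndexOf("/") + 1));
    }
  }
}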
Node.js
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Node.js API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
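/**
 * TODO(developer): Uncomment and replace these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const policyId = 'YOUR_POLICY_ID';

const {PoliciesClient} = require('@google-cloud/iam').v2;

const iamClient = new PoliciesClient();

// Each deny policy is attached to an organization, folder, or project.
// To work with deny policies, specify the attachment point.
//
// Its format can be one of the following:
// 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
// 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
// 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
//
// The attachment point is identified by its URL-encoded resource name. Hence, replace
// the "/" with "%2F".
const attachmentPoint = `cloudresourcemanager.googleapis.com%2Fprojects%2F${projectId}`;

const denyRule = {
  // Add one or more principals who should be denied the permissions specified in this rule.
  // For more information on allowed values, see: https://cloud.google.com/iam/help/deny/principal-identifiers
  deniedPrincipals: ['principalSet://goog/public:all'],

  // Optionally, set the principals who should be exempted from the
  // list of denied principals. For example, if you want to deny certain permissions
  // to a group but exempt a few principals, then add those here. As written no
  // exception principals are set, so the rule applies to every principal.
  // exceptionPrincipals: ['principalSet://goog/group/project-admins@example.com'],

  // Set the permissions to deny.
  // The permission value is of the format: service_fqdn/resource.action
  // For the list of supported permissions, see: https://cloud.google.com/iam/help/deny/supported-permissions
  deniedPermissions: ['cloudresourcemanager.googleapis.com/projects.delete'],

  // Optionally, add the permissions to be exempted from this rule.
  // Meaning, the deny rule will not be applicable to these permissions.
  // exceptionPermissions: ['cloudresourcemanager.googleapis.com/projects.create']

  // Set the condition which will enforce the deny rule.
  // If this condition is true, the deny rule will be applicable. Else, the rule will not be enforced.
  // The expression uses Common Expression Language syntax (CEL).
  // Here we block access based on tags. A tag is a key-value pair that can be attached
  // to an organization, folder, or project.
  //
  // This condition is true when the resource does NOT carry the tag env=test, so deletion
  // is denied on every project except those tagged test — the exemption the rule
  // description below refers to. The "12345678/" prefix looks like a placeholder for the
  // tag key's parent ID; replace it with your own before running the sample.
  // For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
  denialCondition: {
    expression: '!resource.matchTag("12345678/env", "test")',
  },
};

/**
 * Creates the deny policy under the project's deny-policy collection, waits for the
 * long-running create operation to finish, and logs the created policy's resource name.
 *
 * @returns {Promise<void>} resolves once the policy exists; rejects if the request or the
 *   operation fails.
 */
async function createDenyPolicy() {
  const request = {
    // The collection the new policy is created in:
    // "policies/{attachmentPoint}/denypolicies"
    parent: `policies/${attachmentPoint}/denypolicies`,
    policy: {
      displayName: 'Restrict project deletion access',
      rules: [
        {
          description:
            'block all principals from deleting projects, unless the principal is a member of project-admins@example.com and the project being deleted has a tag with the value test',
          denyRule,
        },
      ],
    },
    policyId,
  };

  const [operation] = await iamClient.createPolicy(request);
  const [policy] = await operation.promise();

  console.log(`Created the deny policy: ${policy.name}`);
}

// Surface a failed request or operation as a non-zero exit instead of an
// unhandled promise rejection.
createDenyPolicy().catch(err => {
  console.error('Failed to create the deny policy:', err);
  process.exitCode = 1;
});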
Python
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Python API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
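def create_deny_policy(project_id: str, policy_id: str) -> None:
    """
    Create a deny policy.

    You can add deny policies to organizations, folders, and projects.
    Each of these resources can have up to 5 deny policies.

    Deny policies contain deny rules, which specify the following:
    1. The permissions to deny and/or exempt.
    2. The principals that are denied, or exempted from denial.
    3. An optional condition on when to enforce the deny rules.

    Params:
        project_id: ID or number of the Google Cloud project you want to use.
        policy_id: Specify the ID of the deny policy you want to create.

    Raises:
        ValueError: if project_id or policy_id is empty.
    """
    # Reject empty IDs before importing the client or touching the API: an
    # empty project_id would produce a malformed attachment point below.
    if not project_id or not policy_id:
        raise ValueError("project_id and policy_id must not be empty")

    from google.cloud import iam_v2
    from google.cloud.iam_v2 import types

    policies_client = iam_v2.PoliciesClient()

    # Each deny policy is attached to an organization, folder, or project.
    # To work with deny policies, specify the attachment point.
    #
    # Its format can be one of the following:
    # 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
    # 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
    # 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    #
    # The attachment point is identified by its URL-encoded resource name. Hence, replace
    # the "/" with "%2F".
    attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"

    deny_rule = types.DenyRule()

    # Add one or more principals who should be denied the permissions specified in this rule.
    # For more information on allowed values, see: https://cloud.google.com/iam/help/deny/principal-identifiers
    deny_rule.denied_principals = ["principalSet://goog/public:all"]

    # Optionally, set the principals who should be exempted from the
    # list of denied principals. For example, if you want to deny certain permissions
    # to a group but exempt a few principals, then add those here. As written no
    # exception principals are set, so the rule applies to every principal.
    # deny_rule.exception_principals = ["principalSet://goog/group/project-admins@example.com"]

    # Set the permissions to deny.
    # The permission value is of the format: service_fqdn/resource.action
    # For the list of supported permissions, see: https://cloud.google.com/iam/help/deny/supported-permissions
    deny_rule.denied_permissions = [
        "cloudresourcemanager.googleapis.com/projects.delete"
    ]

    # Optionally, add the permissions to be exempted from this rule.
    # Meaning, the deny rule will not be applicable to these permissions.
    # deny_rule.exception_permissions = ["cloudresourcemanager.googleapis.com/projects.create"]

    # Set the condition which will enforce the deny rule.
    # If this condition is true, the deny rule will be applicable. Else, the rule will not be enforced.
    # The expression uses Common Expression Language syntax (CEL).
    # Here we block access based on tags. A tag is a key-value pair that can be attached
    # to an organization, folder, or project.
    #
    # This condition is true when the resource does NOT carry the tag env=test, so deletion
    # is denied on every project except those tagged test — the exemption the rule
    # description below refers to. The "12345678/" prefix looks like a placeholder for the
    # tag key's parent ID; replace it with your own before running the sample.
    # For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
    deny_rule.denial_condition = {
        "expression": "!resource.matchTag('12345678/env', 'test')"
    }

    # Add the deny rule and a description for it.
    policy_rule = types.PolicyRule()
    policy_rule.description = "block all principals from deleting projects, unless the principal is a member of project-admins@example.com and the project being deleted has a tag with the value test"
    policy_rule.deny_rule = deny_rule

    policy = types.Policy()
    policy.display_name = "Restrict project deletion access"
    policy.rules = [policy_rule]

    # Set the policy resource path, policy rules and a unique ID for the policy.
    request = types.CreatePolicyRequest()
    # The collection the new policy is created in.
    # Its format is: "policies/{attachmentPoint}/denypolicies"
    request.parent = f"policies/{attachment_point}/denypolicies"
    request.policy = policy
    request.policy_id = policy_id

    # Send the create request and block until the long-running operation completes.
    result = policies_client.create_policy(request=request).result()

    # Print the short policy ID (the last segment of the resource name).
    print(f"Created the deny policy: {result.name.rsplit('/', 1)[-1]}")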
if __name__ == "__main__":
    import uuid

    # Your Google Cloud project ID.
    project_id = "your-google-cloud-project-id"

    # Any unique ID (0 to 63 chars) starting with a lowercase letter; a fresh
    # UUID keeps repeated runs from colliding on the policy ID.
    policy_id = "deny-" + str(uuid.uuid4())

    # Test the policy lifecycle.
    create_deny_policy(project_id, policy_id)
Terraform
如需了解如何应用或移除 Terraform 配置,请参阅基本 Terraform 命令。 如需了解详情,请参阅 Terraform 提供程序参考文档。
# Look up the project the provider is configured for; its ID is used below
# to build the deny policy's attachment point.
data "google_project" "default" {
}

# Create a service account
resource "google_service_account" "default" {
  display_name = "IAM Deny Example - Service Account"
  account_id   = "example-sa"
  project      = data.google_project.default.project_id
}

# Create an IAM deny policy that denies a permission for the service account
resource "google_iam_deny_policy" "default" {
  # This sample pins the resource to the google-beta provider.
  provider = google-beta
  # The attachment point is the project's URL-encoded resource name, so every
  # "/" in "cloudresourcemanager.googleapis.com/projects/PROJECT_ID" becomes "%2F".
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${data.google_project.default.project_id}")
  name         = "my-deny-policy"
  display_name = "My deny policy."
  rules {
    deny_rule {
      # Only the service account created above is denied. No denial_condition
      # and no exception principals are set, so the rule applies unconditionally.
      denied_principals  = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.default.email}"]
      denied_permissions = ["iam.googleapis.com/roles.create"]
    }
  }
}